authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-20 15:50:00 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-20 15:50:00 +0200
commite905cd0bda71f359597ecb1f4554d3edb27e2ccb (patch)
tree400a78ec5a07f45a224177c5d87a6cfc7863259c /nixops/modules
parentb9c11a4dfd5afab304503fd61efe773b5a0da6a7 (diff)
Move missing passwords in etherpad to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules')
-rw-r--r--nixops/modules/websites/tools/ether/default.nix6
-rw-r--r--nixops/modules/websites/tools/ether/etherpad_lite.nix214
2 files changed, 116 insertions, 104 deletions
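--- a/nixops/modules/websites/tools/ether/default.nix
+++ b/nixops/modules/websites/tools/ether/default.nix
@@ -16,8 +16,8 @@ in {
 systemd.services.etherpad-lite = {
 description = "Etherpad-lite";
 wantedBy = [ "multi-user.target" ];
-after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" ];
-wants = [ "postgresql.service" "tools-etherpad-key.service" ];
+after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ];
+wants = [ "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ];
 
 environment.NODE_ENV = "production";
 environment.HOME = etherpad.webappDir;
@@ -44,7 +44,7 @@ in {
 Restart = "always";
 Type = "simple";
 TimeoutSec = 60;
-ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad";
+ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad /run/keys/webapps/tools-etherpad-sessionkey /run/keys/webapps/tools-etherpad-apikey";
 };
 };
 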
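Review bot: The `ExecStartPre` line in the second hunk now runs `chown` as root (the `+` prefix) over three paths under /run/keys/webapps on every start, and the unit is tied to the key units only through `wants`, so a missing key is caught solely by that chown failing. If the `keys` set in etherpad_lite.nix ends up in NixOps `deployment.keys` (not visible here), each entry could carry `user = "etherpad-lite"; group = "etherpad-lite";` next to `permissions = "0400";`, and the root-privileged chown could be dropped. If the chown has to stay, a comment above it such as `# key files presumably arrive root-owned; hand them to the service user before start` would record why it runs with elevated privileges. The part of the service definition between the two hunks is not shown.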
diff --git a/nixops/modules/websites/tools/ether/etherpad_lite.nix b/nixops/modules/websites/tools/ether/etherpad_lite.nix
index bc62262..689156e 100644
--- a/nixops/modules/websites/tools/ether/etherpad_lite.nix
+++ b/nixops/modules/websites/tools/ether/etherpad_lite.nix
@@ -30,109 +30,121 @@ let
30 "ep_subscript_and_superscript" 30 "ep_subscript_and_superscript"
31 "ep_timesliderdiff" 31 "ep_timesliderdiff"
32 ]; 32 ];
33 keys.tools-etherpad = { 33 keys = {
34 destDir = "/run/keys/webapps"; 34 tools-etherpad-apikey = {
35 permissions = "0400"; 35 destDir = "/run/keys/webapps";
36 text = 36 permissions = "0400";
37 # Make sure we’re not rebuilding whole libreoffice just because of a 37 text = env.api_key;
38 # dependency 38 };
39 let libreoffice = (import <nixpkgs> {}).libreoffice-fresh; 39 tools-etherpad-sessionkey = {
40 in 40 destDir = "/run/keys/webapps";
41 '' 41 permissions = "0400";
42 { 42 text = env.session_key;
43 "title": "Etherpad", 43 };
44 "favicon": "favicon.ico", 44 tools-etherpad = {
45 destDir = "/run/keys/webapps";
46 permissions = "0400";
47 text =
48 # Make sure we’re not rebuilding whole libreoffice just because of a
49 # dependency
50 let libreoffice = (import <nixpkgs> {}).libreoffice-fresh;
51 in
52 ''
53 {
54 "title": "Etherpad",
55 "favicon": "favicon.ico",
45 56
46 "ip": "127.0.0.1", 57 "ip": "127.0.0.1",
47 "port" : ${env.listenPort}, 58 "port" : ${env.listenPort},
48 "showSettingsInAdminPage" : false, 59 "showSettingsInAdminPage" : false,
49 "dbType" : "postgres", 60 "dbType" : "postgres",
50 "dbSettings" : { 61 "dbSettings" : {
51 "user" : "${env.postgresql.user}", 62 "user" : "${env.postgresql.user}",
52 "host" : "${env.postgresql.socket}", 63 "host" : "${env.postgresql.socket}",
53 "password": "${env.postgresql.password}", 64 "password": "${env.postgresql.password}",
54 "database": "${env.postgresql.database}", 65 "database": "${env.postgresql.database}",
55 "charset" : "utf8mb4" 66 "charset" : "utf8mb4"
56 }, 67 },
57 68
58 "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n", 69 "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
59 "padOptions": { 70 "padOptions": {
60 "noColors": false, 71 "noColors": false,
61 "showControls": true, 72 "showControls": true,
62 "showChat": true, 73 "showChat": true,
63 "showLineNumbers": true, 74 "showLineNumbers": true,
64 "useMonospaceFont": false, 75 "useMonospaceFont": false,
65 "userName": false, 76 "userName": false,
66 "userColor": false, 77 "userColor": false,
67 "rtl": false, 78 "rtl": false,
68 "alwaysShowChat": false, 79 "alwaysShowChat": false,
69 "chatAndUsers": false, 80 "chatAndUsers": false,
70 "lang": "en-gb" 81 "lang": "en-gb"
71 }, 82 },
72 83
73 "suppressErrorsInPadText" : false, 84 "suppressErrorsInPadText" : false,
74 "requireSession" : false, 85 "requireSession" : false,
75 "editOnly" : false, 86 "editOnly" : false,
76 "sessionNoPassword" : false, 87 "sessionNoPassword" : false,
77 "minify" : true, 88 "minify" : true,
78 "maxAge" : 21600, 89 "maxAge" : 21600,
79 "abiword" : null, 90 "abiword" : null,
80 "soffice" : "${libreoffice}/bin/soffice", 91 "soffice" : "${libreoffice}/bin/soffice",
81 "tidyHtml" : "${pkgs.html-tidy}/bin/tidy", 92 "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
82 "allowUnknownFileEnds" : true, 93 "allowUnknownFileEnds" : true,
83 "requireAuthentication" : false, 94 "requireAuthentication" : false,
84 "requireAuthorization" : false, 95 "requireAuthorization" : false,
85 "trustProxy" : false, 96 "trustProxy" : false,
86 "disableIPlogging" : false, 97 "disableIPlogging" : false,
87 "automaticReconnectionTimeout" : 0, 98 "automaticReconnectionTimeout" : 0,
88 "scrollWhenFocusLineIsOutOfViewport": { 99 "scrollWhenFocusLineIsOutOfViewport": {
89 "percentage": { 100 "percentage": {
90 "editionAboveViewport": 0, 101 "editionAboveViewport": 0,
91 "editionBelowViewport": 0 102 "editionBelowViewport": 0
103 },
104 "duration": 0,
105 "scrollWhenCaretIsInTheLastLineOfViewport": false,
106 "percentageToScrollWhenUserPressesArrowUp": 0
92 }, 107 },
93 "duration": 0, 108 "users": {
94 "scrollWhenCaretIsInTheLastLineOfViewport": false, 109 "ldapauth": {
95 "percentageToScrollWhenUserPressesArrowUp": 0 110 "url": "ldaps://${env.ldap.host}",
96 }, 111 "accountBase": "${env.ldap.base}",
97 "users": { 112 "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
98 "ldapauth": { 113 "displayNameAttribute": "cn",
99 "url": "ldaps://${env.ldap.host}", 114 "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
100 "accountBase": "${env.ldap.base}", 115 "searchPWD": "${env.ldap.password}",
101 "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", 116 "groupSearchBase": "${env.ldap.base}",
102 "displayNameAttribute": "cn", 117 "groupAttribute": "member",
103 "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", 118 "groupAttributeIsDN": true,
104 "searchPWD": "${env.ldap.password}", 119 "searchScope": "sub",
105 "groupSearchBase": "${env.ldap.base}", 120 "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
106 "groupAttribute": "member", 121 "anonymousReadonly": false
107 "groupAttributeIsDN": true, 122 }
108 "searchScope": "sub", 123 },
109 "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", 124 "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
110 "anonymousReadonly": false 125 "loadTest": false,
111 } 126 "indentationOnNewLine": false,
112 }, 127 "toolbar": {
113 "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], 128 "left": [
114 "loadTest": false, 129 ["bold", "italic", "underline", "strikethrough"],
115 "indentationOnNewLine": false, 130 ["orderedlist", "unorderedlist", "indent", "outdent"],
116 "toolbar": { 131 ["undo", "redo"],
117 "left": [ 132 ["clearauthorship"]
118 ["bold", "italic", "underline", "strikethrough"], 133 ],
119 ["orderedlist", "unorderedlist", "indent", "outdent"], 134 "right": [
120 ["undo", "redo"], 135 ["importexport", "timeslider", "savedrevision"],
121 ["clearauthorship"] 136 ["settings", "embed"],
122 ], 137 ["showusers"]
123 "right": [ 138 ],
124 ["importexport", "timeslider", "savedrevision"], 139 "timeslider": [
125 ["settings", "embed"], 140 ["timeslider_export", "timeslider_returnToPad"]
126 ["showusers"] 141 ]
127 ], 142 },
128 "timeslider": [ 143 "loglevel": "INFO",
129 ["timeslider_export", "timeslider_returnToPad"] 144 "logconfig" : { "appenders": [ { "type": "console" } ] }
130 ] 145 }
131 }, 146 '';
132 "loglevel": "INFO", 147 };
133 "logconfig" : { "appenders": [ { "type": "console" } ] }
134 }
135 '';
136 }; 148 };
137 webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec { 149 webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec {
138 __noChroot = true; 150 __noChroot = true;
@@ -170,8 +182,8 @@ let
170 install -t $out/src/ -vDm 644 src/.ep_initialized 182 install -t $out/src/ -vDm 644 src/.ep_initialized
171 cp -a node_modules $out/ 183 cp -a node_modules $out/
172 cp -a src/* $out/src/ 184 cp -a src/* $out/src/
173 ln -sf ${sessionkey} $out/SESSIONKEY.txt 185 ln -sf /run/keys/webapps/tools-etherpad-sessionkey $out/SESSIONKEY.txt
174 ln -sf ${apikey} $out/APIKEY.txt 186 ln -sf /run/keys/webapps/tools-etherpad-apikey $out/APIKEY.txt
175 cp ${jquery} $out/src/static/js/jquery.js 187 cp ${jquery} $out/src/static/js/jquery.js
176 188
177 mkdir $out/doc 189 mkdir $out/doc
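Review bot: The last hunk repoints `SESSIONKEY.txt` and `APIKEY.txt` from `${sessionkey}` and `${apikey}` to /run/keys, but the values they referenced before stay exposed. If those were store paths, as the interpolation suggests, the old files remain world-readable in /nix/store, and in any copy of the closure, until garbage-collected. The session key and API key should be rotated as part of this change, not only relocated, and the commit description should record that. Separately, the two `ln -sf` targets repeat the destination directory and key names by hand; deriving them from the key definition, which appears to sit in the same `let`, e.g. `ln -sf ${keys.tools-etherpad-sessionkey.destDir}/tools-etherpad-sessionkey $out/SESSIONKEY.txt`, keeps the symlinks from dangling if the definition changes. The install script these lines belong to starts and ends outside the hunk.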